Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

With firewalls becoming increasingly complex, buying one can be a confusing experience. And even when you've identified requirements you need for your firewall, trudging through each vendor's website and datasheets is a time-consuming process. This guide makes finding the right firewall easy for you, pulling together critical capabilities and features you should have. Read Now: http://www.sans.org/info/195965

US Senators Ask White House to Order Analysis of Russia's Ability to Disrupt US Energy Grid
(June 22, 2017)

Nineteen US Senators have written a letter asking the White House "to direct the Department of Energy (DoE) to conduct a thorough analysis of Russian capabilities with respect to cyberattacks on our energy infrastructure." Legislators made a similar request in March but received no response.
[Editor Comments]
[Murray] Electrical generation and distribution is the infrastructure on which we are most dependent, ranking ahead of communication and finance. It demonstrates its resilience against weather, component failure, and human error on a daily basis. That said, we know that it remains vulnerable to malicious mis-operation. The public does not know its resilience in the face of such attacks as we have seen in Ukraine. We do not know whether controls have been compromised in advance of and in contemplation of such attacks. While one can understand that Congress would like the answer to these questions, one would expect the answers to be "classified."
Read more in:
Wired: Senators Push Trump for Answers on Power Grid Malware Attack
https://www.wired.com/story/congress-trump-power-grid-malware-letter/
US Senate: Letter Seeking DoE Analysis of Russia's Cyber Capability to Disrupt Energy Infrastructure
https://www.energy.senate.gov/public/index.cfm/files/serve?File_id=7E986259-2284-4FD3-A9ED-F2E7E6EE21CB

German Police Get Broader Hacking Powers
(June 23, 2017)

Germany's Parliament has passed legislation that extends law enforcement's authority to break into suspects' phones and computers. Until now, police have had the authority to hack into people's phones and computers in instances of suspected terrorism. The amendment expands the scope of cases in which police can use the techniques, known as Staatstrojanern, to include any case in which they would be permitted to tap a suspect's phone. The change was made as an amendment to a law dealing with driving bans.
Read more in:
ZDNet: Police get broad phone and computer hacking powers in Germany
http://www.zdnet.com/article/police-get-broad-phone-and-computer-hacking-powers-in-germany/

Guilty Plea in Utility Smart Meter Reader Hack
(June 25 & 26, 2017)

A man who used to work for a company that manufactures remote utility meter-reading equipment has admitted to using his knowledge of the systems to disable equipment in several states. Adam Flanagan pleaded guilty to two counts of unauthorized access to a protected computer. He was sentenced to a year in prison and fined 40 thousand USD. Flanagan had worked as an engineer setting up Tower Gateway Basestations (TGBs), which collect data from area customers' smart meters and send the information to the company's main systems. He was fired in November 2013; the incidents took place during the spring of 2014.
[Editor Comments]
[Neely] Making sure that accounts are disabled/changed on employee termination or transfer is key and can be difficult. It should be a step in the termination process. Active accounts should also be reviewed, at least annually, to expose terminated employees who still have access. If disabled accounts can't be deleted, then monitor and alert on their use.
[Stephen Northcutt] Mr. Flanagan faced 90 years, was sentenced to one; that will not serve as a deterrent. The BleepingComputer story has similar fired-insider stories at the bottom of their writeup. According to the DOJ, the "boot" hacker, Mr. Venzor, was supposed to be sentenced earlier this month:
https://www.justice.gov/usao-wdtx/pr/former-el-paso-based-company-employee-pleads-guilty-computer-intrusion
I can't find anything on it. If you have a source, please drop stephen@sans.edu a note.
Read more in:
BleepingComputer: Fired Employee Hacks and Shuts Down Smart Water Readers in Five US Cities
https://www.bleepingcomputer.com/news/security/fired-employee-hacks-and-shuts-down-smart-water-readers-in-five-us-cities/
Ars Technica: Some beers, anger at former employer, and root access add up to a year in prison
https://arstechnica.com/security/2017/06/ex-technician-convicted-of-possibly-drunken-attack-on-smart-water-meter-system/
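As an added example (not from the newsletter or any of the quoted sources), the two checks the editor comments above describe, written as a small Python audit: a periodic review that flags terminated users whose accounts are still enabled, and an alert over auth log lines for successful logins by disabled or terminated accounts. All usernames, hosts, dates and log lines below are constructed.

```python
"""Offboarding audit over constructed sample data (example, not real records)."""
from datetime import date
import re

# Constructed HR feed: username -> termination date.
TERMINATED = {"rsmith": date(2013, 11, 4), "jdoe": date(2014, 2, 1)}

# Constructed directory export: is the account still enabled?
ACCOUNTS = {
    "rsmith": {"enabled": True},    # never disabled at termination
    "jdoe":   {"enabled": False},   # disabled but still present
    "mlee":   {"enabled": True},    # current employee
}

# Constructed auth log lines in a syslog-like layout.
AUTH_LOG = [
    "2014-04-02T03:12:55 tgb-01 sshd: Accepted password for rsmith from 10.0.0.5",
    "2014-04-02T09:00:01 tgb-02 sshd: Accepted publickey for mlee from 10.0.0.7",
    "2014-04-03T01:44:10 tgb-03 sshd: Accepted password for jdoe from 10.0.0.9",
    "2014-04-03T01:45:00 tgb-03 sshd: Failed password for root from 10.0.0.9",
]
LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")


def still_enabled_after_termination(accounts, terminated, as_of):
    """Periodic review: terminated users (as of a date) whose account is still enabled."""
    return sorted(u for u, t in terminated.items()
                  if t <= as_of and accounts.get(u, {}).get("enabled"))


def suspicious_logins(log_lines, accounts, terminated):
    """Alert on successful logins by accounts that are disabled, unknown, or terminated.
    A login by a disabled account means the disable did not take effect everywhere."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if not m:                      # only successful logins are of interest here
            continue
        ts, host, user, src = m.groups()
        acct = accounts.get(user)
        disabled = acct is None or not acct["enabled"]
        if disabled or user in terminated:
            reason = "disabled" if disabled else "terminated"
            hits.append({"time": ts, "host": host, "user": user, "src": src, "reason": reason})
    return hits


if __name__ == "__main__":
    print(still_enabled_after_termination(ACCOUNTS, TERMINATED, date(2014, 4, 1)))
    for hit in suspicious_logins(AUTH_LOG, ACCOUNTS, TERMINATED):
        print(hit)
```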

CIA Technique to Infect Air-Gapped Computers
(June 22, 2017)

Documents posted on WikiLeaks provide information about a technique allegedly used by the CIA to infect air-gapped computers. Known as "Brutal Kangaroo," the method involves USB drives. One tool, called Drifting Deadline, is installed on a broad range of computers and infects every USB drive attached to them; those drives in turn infect the computers into which they are plugged.
[Editor Comments]
[Murray] Practice good hygiene. Do not take storage devices from strangers. Do not put your storage device in others' machines. Do not allow others to put their storage device in your machine. Use anti-virus and other protection. Do not rely upon representations made to you by strangers as to the state of their health.
[Williams] The Brutal Kangaroo documents outline a previously unknown vulnerability in LNK file parsing involving junctions, a vital roadmap for attackers wishing to create an exploit.
Read more in:
Ars Technica: How the CIA infects air-gapped networks
https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/